Archiv der Kategorie: Security

If we go way back, we will discover that some time ago there were already ancillary CPUs in our computers. The floppy disk drive of the C64 had a CPU very similar to the one in the computer itself, but very little memory and it was hard, though not impossible, to make use of it. I never really tried. The PC-keyboards had CPUs, it was told that a Z80 or 8080 or something like that was built into them. I never bothered to find out.

Now this concept is not at all new, but was already used 35 years ago. So the question is, if our computers still have such hidden CPUs. This seems to be the case and it is easy to search for „hidden CPUs“ or „secret CPUs“. And it would be extremely strange to expect anything different. They do not have compute power for us, but just run and manage hardware, that appears to be just hardware from the point of view of our main CPU, that we can program. So why not just consider this as hardware and ignore the „secret“ or „hidden“ CPUs and see them as implementation detail of the hardware. That is a very legitimate approach and to be honest what we do most of the time.

The issue is more delicate now, because these hidden CPUs can access the internet, even when the computer is turned off or seems to be offline. There are tools to analyze the network traffic and to detect this. But we should start to become aware of this invisible world that is potentially as dangerous as visible malware. And this applies to all kinds of devices, especially cell phones, tablets, routers, TV-sets and all „things“ that have their own CPU power and network access…

It seems that the parts of the source code of Apple’s iOS 9 have leaked via github. They might have been removed from there, while you are reading this, but probably they will be passed around in the internet anyway.

Some sources say that this is a risk to security. It might be, but in the end cryptography specialists tend to consider the availability of the source code as an advantage for security, because it can be analyzed by everyone, vulnerabilities can be found and published and of course more easily be corrected if the source is available to everyone. Hiding the source code is some kind of „security by obfuscation“, which is not really a strong mechanism and it should be based on verifiable secure mechanisms, as successfully applied by Linux and other open source operating systems. But this might not be fully true, if the sources are just passed around in somewhat closed circles and not easily available to the general public.

This does not make iOS open source, because the licenses that Apple imposes on their software are still valid and to my understanding they do not make this part of the system open source, which means much more than just being able to read the source code of a certain version that might already be outdated. Please observe that if the source code that you might find on github is really coming from Apple, their original license and not the one mentioned in github applies.

To put Jail breaking somewhere near security breaches is wrong, because this is an action done by the owner of the device with his or her own device at own risk. This should be everyone’s right to do so and there should be nothing wrong with making it easier. I know, we are not living in a perfect world…

So please relax. If Apple has done a good job, there will not be too bad exploits and if they are still doing a good job, they will quickly fix any exploits that show up. And if you like to have an open source system, you should still consider using something else.

When comparing string, of course spaces count as well and they should count. To ignore them, we can normalize strings. Typical white space normalization includes the following (Perl regular expressions):

/[ \t]+/ /g replace any sequence of tabs and spaces used to separate content by one space.

/\r\n/\n/g replace carriage return + linefeed by linefeed only.

/\s+$// remove trailing whitespace.

/^\s+// remove leading whitespace.

More or less it is often useful to do something like this when comparing strings that originally come from outside sources and are not normalized, but only „the content“ counts. There can be more sophisticated rules, to deal with no-break-space, with control characters, with trailing spaces at the end of each line or only at the end of the whole thing or replacing multiple empty lines by just one empty line. Just the general idea is to think about the right normalization.

In some cases, like long numbers, spaces or other symbols are used to group digits. These should also be removed. Sometimes more specific rules apply, like for phone numbers, web sites, email addresses etc. that need to be done specifically for this type, hopefully using an adequate library.

More often than not we see that web sites do not do this properly. Quite often an information has to be entered and it is not normalized prior to further processing. So credit card numbers or IBAN numbers are rejected because of spaces or anything because of trailing spaces, of course with an error message that does not give us a hint about what was the problem.

For serious application there needs to be a serious processing step for data coming from outside anyway, for security reasons. Even though SQL injection should not work due to sound SQL-placeholder usage, it is a good practice to check the data anyway and reject it early and with a meaningful message. Should I trust the security of a site that cannot deal with spaces in a credit card number for giving them my card number? I am not sure.

It is about time that UI developers get into the habit of doing the proper processing, normalization and checks for user input. Beware that any security relevant checks need to be done on the server or on the server as well.

The WPA2 protocol has been compromised. The so called KRACK attack allows reading encrypted content.
It was always a good idea to use encrypted communication on top of WPA2 for sensitive data, like https, ssh or a VPN. This practice has been recommended in this blog before, which was again inspired by what Bruce Schneier wrote about it.

Anyway, we should certainly start of thinking of WLANs with WPA2 encryption as a useful transport mechanism, but not as a very secure mechanism to encrypt data. At least from now on we should use other encrypted protocols on top of WPA2 where appropriate or use cable networks for internal communication that we do not want to encrypt additionally.

We use our computers and other devices everywhere. While phones are of course equipped with a SIM card that at least part of the time allows relatively cheap internet access via the GSM-network (of course today UMTS or LTE or whatever comes next), laptops usually do not have SIM cards, even though they could. So we rely on these WLANs that we find in Cafés, gas stations, shops, hotels, camp ground, airports, train stations, trains and sometimes even in cities. While we are used to paying for our SIM cards monthly fees or even volume based fees, the question if it should cost money to use a WLAN is still open. Some years ago the WLAN cost extra in most places. The problem was, that the effort for collecting the money was by some orders of magnitude higher than the effort for actually providing the WLAN, resulting in prices that were way too high. So the normal model is now that we pay for the camping, train, flight, hotel, coffee or whatever and some very very tiny fraction of this money is used to implement the WLAN. It does not hurt the people, who do not use it, because it is so little.

Now there are some ways to get into WLANs, which we all know too well:

Open WLAN: just use it

Password for WLAN required

„Open“ WLAN, need to confirm the conditions

„Open“ WLAN, need to provide phone number or email address with some verification

„Open“ WLAN, need to give username + password on some page

While (1) is of course ok from a user point of view and (2) works very well for small sites like hotels, the other approaches are somewhat problematic and fragile.

They all rely on the assumption that the device uses the DNS as is provided by DHCP from the WLAN or on an intercepting proxy. Anyway, the network is in two different states. In the first state it does not behave regularly, but going to any page with the browser will actually lead to the login page. The internet will not work in the beginning, even though at network level everything is there, just the routing or maybe the DNS or the Web-Caching are skrewed up. My phone detects such a skrewed up internet and by itself opens the „login“-page by going to www.google.com, which of course is today https://www.google.com/. It won’t work, because it leads to a fake „www.google.com“, so the https-certificate is not correct and the browser refuses to show it, unless we really ask for an exception, which I would not recommend. Knowing this, we can always overcome the problem by just surfing to any site that is still not https and that is not in the browser cache. This is going to become harder, but is still possible. Is it ugly? I would think so. Even worse, there is a time window for doing this, and sometimes the login does not really work well, so we need to try it over and over again, until it finally works or we give up and use the phone as a temporary WLAN-router, hoping it will not break out of our free Megabytes. Verifying a phone number is not too bad, because via SMS there is a channel independent from the WLAN to transmit the verification code. Do we have a phone? I guess so, people without phone are really very rare, so I would consider that ok. Why do they need this information? Should they ask for it? I do not think so… It depends of course how much we trust in our current and future democracy and in our government and company organizations constraining themselves to legal and ethical conduct. But from a purly technical point of view this kind of works. The email is kind of cute. To confirm it, we need access to our email system, which in turn already requires internet. But it happens. Just confirming „terms and conditions“ is also kind of cute, because the option of actually reading them is offered, but rarely used. And they would know it, if they just looked into their logs.

So I would really love to just use the internet and I would really love to rely on people using the internet to behave legally and ethically without going through long terms and conditions. Maybe those who provide the internet need these, to ensure that they do not have to pay for fallacies of their internet users, but making them pay is not really a good idea. A criminal offense is the fault of a criminal and not of those who provide some common infrastructure for communication that is in no way specific to criminal activity. Actually those who are somewhat skilled in criminal activities also know their ways to hide their identity when using some WLAN.

The last one is kind of tricky. It does have some justification, because it allows for more fine granular access. But it still uses somewhat broken mechanisms by providing a broken internet to log in and then the working internet. I think it would be better to extend the WLAN standard to provide for a username+password-login instead of only using a password for the WLAN.

Btw., I recommend to assume that the WLAN is not safe and always run a firewall against the WLAN and do delicate access to other systems via the WLAN using a vpn like OpenVPN or of course encrypted variants of common internet protocols like ssh, https etc. The older WLAN encryption standard was just a joke. The current one is kind of ok but I prefer not to trust it. Since we use our devices in all kinds of WLANs anyway, trusting some WLANs and not trusting others is just too much risk in terms of misconfiguration. And as soon as we are accessible via the internet, the attackers are already there and scanning ports and some common URLs. If they are in the WLAN or not, I do not want to rely on them not being there…

This issue is quite controversial and it applies to laptops, tablets and smart phones.
Usually the „bringing“ is not really an issue, you can have anything in your bags and connect it via the mobile phone network as long as it does not absorb the working time.
But usually this implies a bit more.
There are some advantages in having company emails and calendar on a smart phone. This is convenient and useful. But there are some security concerns that should be taken serious. How is the calendar and the emails accessed? How confidential are the emails? Do they pass through servers that we do not trust? What happens, if a phone gets lost?
This is an area, where security concerns are often not taken too serious, because it is cool for top manager to have such devices. And they can just override any worries and concerns, if they like.
This can be compensated by being more restrictive in other areas. 😉
Anyway, the questions should be answered. In addition, the personal preferences for a certain type of phone are very strong. So the phone provided by the company might not be the one that the employee prefers, so there is a big desire to use the own phone or one that is similar to the own phone, which depends on the question of who pays the bills, how much of private telephony is allowed on the company phone and if there are work related calls to abusive times.
Generally the desirable path is to accept this and to find ways to make this secure.

The other issue is about the computer we work with. For some kind of jobs it is clear that the computer of the company is used, for example when selling railroad tickets or working in the post office or in a bank serving customers.

It shows that more creative people and more IT-oriented people like to have more control on the computer they work with.
We like to have hardware that is powerful enough to do the job. We like to be able to install software that helps us do our job. We like to use the OS and the software that we are skilled with. Sometimes it is already useful to be able to install this on the company computer or in a virtual computer within the company computer. Does the company allow this? It should, with some reasonable guidelines.

Some companies allow their employees to use their own laptops instead. They might give some money to pay for this and expect a certain level of equipment for that. Or just allow the employees to buy a laptop with their own money and use it instead of the company computer. They will do so and happily spend the money, even though it is wrong and the company should pay it. But the pain of spending some of the own money is for many people less than the pain of having to use crappy company equipment.

This rises the question of the network drive Q:, the outlook, MS-Word, MS-Excel,…
Actually this is not so much an issue, at least for the group we are talking here. Or becoming less of an issue.
Drive Q: can quite well be accessed from Linux, if the company policies allow it. But actually modern working patterns do not need this any more.
We can use a Wiki, like MediaWiki or Confluence for documentation. This is actually a bit better in many cases and I would see a trend in this direction, at least for IT-oriented teams.
Office-Formats and Email are more and more providing Web-Applications that can be used to work with them on Linux, for example. And MS-Office is already available for Linux, at least for Android, which is a Linux Variant. It might or might not come for Desktop Linux. LibreOffice is most of the time a useful replacement. Maybe better, maybe almost as good, depending on perspective… And there is always the possibility to have a virtual computer running MS-Windows for the absolutely mandatory MS-Windows-programs, if they actually exist. Such an image could be provided and maintained by the company instead of a company computer.

It is better to let the people work. To allow them to use useful tools. To pay them for bringing their own laptop or to allow them to install what they want on the company laptop. I have seen people who quit their job because of issues like this. The whole expensive MS-Windows-oriented universe that has been built in companies for a lot of money proves to be obsolete in some areas. A Wiki, a source code repository, … these things can be accessed over the internet using ssh or https. They can be hosted by third parties, if we trust the third party. Or they can be hosted by the company itself. Some companies work with distributed teams…

It is of course important to figure out a good security policy that allows working with „own“ devices and still provide a sufficient level of security. Maybe we just have to get used to other ways of working and to learn how to solve the problems that they bring us. In the end of the day we will see which companies are more successful. It depends on many factors, but the ability to provide a innovative and powerful IT and to have good people working there and actually getting stuff done is often an important factor.

The malware WannaCry became quite well known, especially because it manifested itself on the displays of the German federal railroad and it even blocked most of the hospital infrastructure in the UK. Find some discussion on Bruce Schneier’s Blog… You find a a href=“https://www.schneier.com/blog/archives/2017/05/did_north_korea_1.html“>more elaborate article on his blog as well. Read Bruce’s blog article, he knows more about security than I do… 🙂

We might have observed, that this attack was targeting MS-Windows computers. The argument, that this is just because MS-Windows computers are more common, is no longer true. But the argument, that the MS-Windows developers just did a lousy job does not hold either. It was true 10, 15, 20, 25 years ago. We have seen it. But today I would assume, that they have improved and are doing a good job.

There is an argument, to favor open source over closed source for security reasons. If a software is open source, it is much more difficult to incorporate malicious features like backdoors into it or to leave security holes open by mistake, because the source code can be analyzed and fixed by anybody who has access to the internet and the capabilities. This is no guarantee, but it is a good thing.

The other argument is more like a question. How close are US companies to US government agencies? Do they do each other little favors? We do not know.

In any way, the people who did this malware attack are criminals and I regret that this has caused so much damage. Fortunately criminals are relatively rare. So the frequency of encountering them in daily life is usually not so high, unless we live in especially crime infested areas. But the internet connects us with criminals all over the world and allows them to damage us. So it might be ok in a good neighborhood not to lock the door or not to lock the bicycle. It gives a good feeling to trust our neighbors. But in the internet, the bad guys are there for sure and they will discover our unlocked virtual door. We can rely on that.

Calculator

Due to calculator PIN/Password some security agains theft/loss of device

Practical Questions:

Always forgotten calculator

Expensive hardware required

Summary:

This method is potentially quite good, if it is done well with good algorithms and good data.

Number Generator

On login page enter 6-digit code from RSA device in addition to username+password

Security issues

Looks good because it comes from RSA

Does the timing always work well enough in sync (apparently yes)?

Device can be stolen, no additional protection

No Challenge-Response, not as good as the calculator

Practical issues:

Device is small enough to be in the pocket all the time

Device is quite expensive

SMS

Enter username and password

Receive code by SMS

Enter Code

Security issues

How secure is the mobile network?

How secure is the phone? Not-so-smart phones are better. Ideally use the old Nokia phone for this with a prepaid SIM-card

For m-banking two phones are needed or the security is much lower

Practical issues

Phone is in the pocket

But if an additional phone is needed just for this not very practical any more

Sometimes SMS get lost

some people play with many SIM cards (not a common problem)

Battery of phone can be empty (only a problem for older generation)

Summary

This seems to be a solid mechanism, but is slightly inferior to the calculator.

Sheet with 100 codes

Login with username and password

Page requests code with a given number from a given sheet.

Each number is used only once

New sheet supplied when 80% used up

Security issues

Depends on quality of numbers

Paper can be lost or stolen

Printing and handling of numbers leaves a lot of vulnerability which is hard to control.

Practical issues

Paper needs to be managed by bank and customer

Needs to be in the luggage or as image on the phone

Needs to be stored carefully

Summary

Mechanism seems to be in the middle field. Apart from being uncool the mechanism is not so bad, but it is inferior to the calculator.

Android App

Can off course technically work for your favorite smart phone, even if it is not Android… 😉

Login with username and password

A colored code is displayed:

Run Android App which takes a photo of the code and provides a 6 digit code plus some information.

Enter that for login

Remark: the App needs to be personalized, so it is only working for the own e-banking, not for someone elses.

Security issues

No password within App

Depends on keeping phone safe

Positive is that it is so easy that it can be used a lot, even for verifiying single bookings to an unknown receipient

The code can transport information that can be displayed in the

Practical issues

Requires Smart phone that supports the App

Phone is always in the pocket

USB-Device

An USB-device is plugged into the PC. It can be „smart“ and communicate directly with the server. Can also provide secure browser or even boot PC into a specially safety-hardened Linux distribution.

I have only theoretical knowledge about this, not used it.

Security issues

Has a lot of potential

A „bad PC“ can be a problem, but there are ways to implement this that are quite secure, as long as encrypted data traffic is considered secure at all. If not, we should forget the internet for anything that requires any non-trivial level of security.

Practical issues

requires special USB-stick

USB is disabled or „castrated“ on many PCs, so it might be hard to let the PC accept the device

Are there „device driver issues“?

Smart Card

This is just like the USB device, but with a chip card instead of an USB device.

Username + Password

For ebanking not enough (some banks don’t care)

For „simple“ apps it is a pain to keep usernames and passwords safe on server

Still „easy default“

How about user management?

Security issues

This has the lowest security of all mechanisms presented here.

user and password database is always a risk

Login with Google

Use google+, facebook, twitter etc. for login

Assume Google here…

Login into google (you normally are anyway…)

Click login with google

First time google asks if it is ok to provide the identity information to web page xyz

In Google settings this can be removed…

Security issues:

Do we want to have NSA-connected companies involved in our login process?

User management is something that the big guys claim to do well

OAuth2 is our friend for this, it is not so hard to do

Just remember this

Always use https when serious about security

http means transmitting password unencrypted and making some of our „friends“ who could intercept traffic very happy

In the good old days, when the participants of the Internet still kind of knew each other, it was reasonable to trust each other, because the bad guys where not likely among the few and they did not have much to gain there from an ordinary user. So it was common to use telnet or rlogin or sethost to connect to other computers. Usually the password was transmitted unencrypted, which was actually quite irresponsible.

Today we have to use ssh instead and it does pretty much what telnet could do in the old days, but also quite a bit more, even much more than can be mentioned in these lines. It is not only important to transmit the password in an encrypted way, but also to ensure that the other side is really the desired node, not some man in the middle, trying to capture the password, which would leave us where we were with telnet.

For this purpose the .ssh-directory contains those certificates, which are files like id_rsa and id_rsa.pub. The id_rsa should be kept safe. They must not be given away, but they should also not be changed, which means that they should not be lost, because they are hard to reproduce, otherwise they would not be secret. The security of the whole protocol depends on this. With ssh-keygen it is possible to create such certificates, optionally in such a way that a password needs to be provided prior to using it. This password remains within the local computer. Certificates have fingerprints, that can be shown with ssh-keygen -l. Exactly this fingerprint will be shown when logging into a node from some other node for the first time and it needs to be confirmed. So it is important to make sure that the fingerprints have been transferred on a safe channel prior to this login, because otherwise we could possibly just confirm the fingerprint of the man in the middle. This is like with infectious diseases. It is necessary to work in a very hygienic way all the way, otherwise the security is at risk. A good way might be to start the first ssh-session to some node in a cabled network, where the cable and network topology is well known and trusted and simple enough to assume that the network traffic really goes to the desired host. Another way is to write down the fingerprint on paper or to print it or to use a USB stick to copy it to the host from which ssh is initiated. With this first login an entry to .ssh/known_hosts is created, which will be used subsequently. As long as .ssh/known_hosts contains no corrupted entries, it will be very hard for a man in the middle to do his evil job and the whole process provides a reasonable level of security.

Now the public key from id_rsa.pub of the own computer can be transferred to the remote computer and added to .ssh/authorized_keys on the remote hosts. This results in the possibility to log into that host without the need to enter a password, unless the local certificate needs a password, which it should in such a case. For convenience this password needs to be typed only once per session by calling ssh-add.

ssh is used even for other purposes, because it supports tunneling of other protocols like subversion or git.

Very beautiful is the possibility to use ssh in conjunction with X11 by calling
ssh -X user@host

This allows to start graphical applications on the remote computer and they are displayed on the local computer. The x11-windowing system is network enabled and uses the ssh tunnel.

Redirection of displays has been common practice in the Unix and Linux-world for more than 25 years, but with ssh it is much more secure than with the unencrypted protocols that ware used in the old days. Who of you still knows xhost +?

All of this is referring to ssh for Linux, but it should work exactly the same way on all kinds of recent Unix systems like Solaris or BSD variants. On MS-Windows-computers it is possible and useful to install putty. Many of the capabilities of ssh can be found in putty as well, just packaged and used in a different way. I actually prefer to use cygwin and its ssh implementation on MS-Windows, which is very similar to the Linux-ssh. It is even possible to build up an ssh-server with MS-Windows using cygwin, but this is not so easy.